Bahamut is a notorious cyber-mercenary group that has been active since 2016 and is currently targeting Android devices with fake VPN apps: trojanized builds of legitimate VPN clients that carry spyware to steal user data. The malware-laden apps were first discovered by Lukáš Štefanko of the Slovak cybersecurity firm ESET.
Beware of Bahamut
ESET researchers discovered a new attack spree from the infamous cybercrime group Bahamut. The group launched malware attacks through fake Android VPN applications. Research revealed that the attackers use trojanized versions of the SoftVPN, SecureVPN, and OpenVPN software.
In this highly targeted campaign, the attackers aim to extract sensitive data from infected devices. The campaign has been active since January 2022. The fake VPN apps are distributed through a bogus SecureVPN website. In previous Bahamut campaigns, the prime targets were located in the Middle East and South Asia.
Eight Variants of Spyware Apps Detected
Researchers have identified eight different variants of the trojanized apps. These are modified versions of genuine VPN apps such as OpenVPN with spyware code added. Bahamut operates as a hack-for-hire group, so the fake VPN apps are deployed on behalf of whoever is paying for the operation.
According to ESET’s blog post, attacks are launched via spear phishing messages and fake apps. Researchers believe that this campaign is still active.
Reportedly, the targets are carefully selected: the app requires the victim to enter an activation key before any of its features are enabled, and that key is delivered to the chosen victim together with the download link. The activation step establishes contact with the attacker-controlled server and prevents the spyware from triggering if the app is launched on a non-targeted device, such as a researcher's test phone.
How Does the Attack Work?
According to Štefanko, the fake app requests an activation key before the VPN and spyware functionality is enabled. The key and the download URL are sent to the targeted users. Once the app is activated, the attackers have remote control of the spyware and can harvest confidential user data.
Furthermore, the attackers can spy on almost everything stored on the device, including call logs, SMS messages, device location, contacts, and data from encrypted messaging apps such as WhatsApp, Telegram and Signal. The victim remains unaware of the data harvesting.
“The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services,” Štefanko said.
It is worth noting that none of the trojanized apps were distributed through Google Play. ESET has not identified the initial distribution vector, but the researchers believe the link to the fake SecureVPN website is delivered through social media, SMS, or email.
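The accessibility-service abuse and the data categories described above leave a fingerprint in the app's manifest that is cheap to check before any dynamic analysis: a supposed VPN client that also declares an accessibility service and asks for SMS, call-log, contact or location permissions. The script below is an added example for this article, not code from ESET or from the samples they analysed. It parses a decoded AndroidManifest.xml (the file `apktool d app.apk` writes) with the standard library only; the two manifests embedded in it are constructed for illustration, and the package name `com.example.vpn` and the class names `TunnelService` and `AccessService` are assumptions, not identifiers from the real samples.

```python
"""Triage a decoded AndroidManifest.xml for the combination the Bahamut
fake-VPN samples exhibit: a VPN service plus an accessibility service plus
permissions for call logs, SMS, contacts or location. Added example with
constructed manifests; not code from ESET or from the samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS          # android:name, as ElementTree sees it
A_PERMISSION = "{%s}permission" % ANDROID_NS

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"

# Permissions that map onto the data categories ESET lists (call logs, SMS,
# contacts, location, audio). A VPN client needs none of them.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def parse_manifest(xml_text):
    """Return declared uses-permissions and the services bound to the
    accessibility and VPN framework permissions."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}
    accessibility, vpn = [], []
    for svc in root.iter("service"):
        # The system only binds these services if they carry the matching
        # signature permission, so the attribute is a reliable marker.
        bound = svc.get(A_PERMISSION)
        if bound == ACCESSIBILITY_BIND:
            accessibility.append(svc.get(A_NAME))
        elif bound == VPN_BIND:
            vpn.append(svc.get(A_NAME))
    return {"permissions": permissions,
            "accessibility_services": accessibility,
            "vpn_services": vpn}


def triage(xml_text):
    """Return a list of findings; an empty list means the manifest shows
    none of the markers (it does not prove the app is clean)."""
    info = parse_manifest(xml_text)
    findings = []
    if info["accessibility_services"]:
        findings.append("accessibility service declared: "
                        + ", ".join(info["accessibility_services"]))
    harvest = sorted(info["permissions"] & HARVEST_PERMISSIONS)
    if harvest:
        findings.append("data-harvesting permissions: " + ", ".join(harvest))
    if info["vpn_services"] and info["accessibility_services"] and harvest:
        findings.append("HIGH: VPN service combined with accessibility service "
                        "and data-harvesting permissions")
    return findings


# Constructed manifests (not real samples). The first mimics a legitimate VPN
# client; the second adds what a trojanized build of it would need.
BENIGN_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <service android:name="com.example.vpn.TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

TROJANIZED_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name="com.example.vpn.TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <service android:name="com.example.vpn.AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_VPN_MANIFEST),
                            ("trojanized", TROJANIZED_VPN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

Run it against the AndroidManifest.xml that apktool decodes from a suspicious APK. Treat the output as a triage signal rather than a verdict: legitimate apps do declare accessibility services for genuine reasons, and a sample that gates its behaviour behind an activation key, as these do, can still hide the actual exfiltration logic in code the manifest says nothing about.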